Bouncy Castle. Do those words mean anything to you? If you are a Java developer, you might know that Bouncy Castle is an encryption library often used to generate secure hash codes and encrypt data. In other words, it is a silly project name for a serious purpose. Do you any know that old, released versions of Bouncy Castle have known security vulnerabilities? I’m not writing this to cast a shadow of doubt on the project. Bouncy Castle is an awesome open source library, as is the Spring framework, Commons HttpClient, Tomcat, and Jetty. What Bouncy Castle has in common with all of these other open source components is that old versions of each project have known security vulnerabilities.
There’s a good chance that you might not be focused on this problem. You might not be constantly evaluating your project’s dependencies to analyze the risks.
I’ve been developing enterprise software for years, and it just isn’t something most companies worry too much about. While a company might spend a great deal of money on systems and personnel to keep operating systems patched and networks secured, that same company is likely using an older version of Commons HttpClient 3.1 that presents a denial of service (DoS) vulnerability. In other words, we appreciate the vulnerability of machines and operating systems while simultaneously ignore the security characteristics of the software that runs on these platforms.
As open source becomes more important to the modern enterprise this exposure will only increase. The critical question to ask yourself given the increasing rate of change in open source is “can you keep up?”.
It just so happens that we recently launched Sonatype Insight to help with this very issue. Watch this short video to see how Sonatype Insight. can help you keep up.
Learn more about Sonatype Insight.